I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellania like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Dr. Web's chief executive Boris Sharov, who says Apple never responded when the firm shared its findings on the Flashback botnet.

Updated with more details of Apple’s response below.

Until it was revealed last week that more than half a million Macs were infected with Flashback malware, Apple had little experience working with the community of security researchers who aim to dissect and shut down botnets. And according to the firm that discovered this new outbreak, it could use a lesson in teamwork.

Boris Sharov, chief executive of the Moscow-based security firm Dr. Web, says he learned Monday from the Russian domain registrar Reggi.ru that Apple had asked the registrar to shut down one of Dr. Web's domains, which Apple said was being used as a “command and control” server for the hundreds of thousands of Macs infected with Flashback. In fact, that domain was one of three that Dr. Web has been using as a spoofed command and control server–what researchers call a “sinkhole”–to monitor the hijacked machines and study their behavior. That technique is what allowed the firm to be the first to report the size of the botnet last week.
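The sinkhole technique Sharov describes works by answering the bots' check-ins at a domain the researchers control and tallying who shows up. The script below is an added illustration, not Dr. Web's tooling: it assumes infected machines check in over HTTP and carry a per-machine identifier in their User-Agent string (an assumption; the article does not describe Flashback's check-in format), and the log lines it parses are constructed for the example.

```python
"""Estimate a botnet's size from a sinkhole's request log.

Added example, not Dr. Web's tooling. It assumes infected machines check
in to the sinkholed domain over HTTP and carry a per-machine identifier
in their User-Agent string (an assumption; the article does not describe
Flashback's check-in format). The log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed Common Log Format lines as a sinkhole's web server might
# record them. Addresses are from documentation ranges; the "id:" tokens
# stand in for whatever per-host identifier a real bot would send.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Apr/2012:10:00:01 +0000] "GET /ping HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7) id:A1F3-0001"
198.51.100.7 - - [09/Apr/2012:10:00:05 +0000] "GET /ping HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7) id:A1F3-0002"
203.0.113.9 - - [09/Apr/2012:10:01:00 +0000] "GET /ping HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6) id:B7C0-0001"
203.0.113.10 - - [10/Apr/2012:09:30:00 +0000] "GET /ping HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6) id:B7C0-0001"
192.0.2.44 - - [10/Apr/2012:11:00:00 +0000] "GET /ping HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7) id:A1F3-0001"
192.0.2.45 - - [10/Apr/2012:11:02:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
BOT_ID_RE = re.compile(r"\bid:(?P<id>[0-9A-Fa-f-]+)")


def parse_line(line):
    """Return a dict for one log line, or None if it is not in CLF.

    bot_id is None when the User-Agent carries no identifier, which is
    how crawlers, scanners and curious researchers hitting the sinkholed
    name are separated from real check-ins.
    """
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    bot = BOT_ID_RE.search(m.group("ua"))
    return {
        "ip": m.group("ip"),
        "day": when.date().isoformat(),
        "bot_id": bot.group("id") if bot else None,
    }


def tally(lines):
    """Count unique bots, unique source IPs and the ways the two diverge."""
    bots, ips = set(), set()
    bots_per_ip = defaultdict(set)   # many bots behind one NAT address
    ips_per_bot = defaultdict(set)   # one bot seen from several addresses
    bots_per_day = defaultdict(set)
    non_bot = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["bot_id"] is None:
            non_bot += 1
            continue
        bots.add(rec["bot_id"])
        ips.add(rec["ip"])
        bots_per_ip[rec["ip"]].add(rec["bot_id"])
        ips_per_bot[rec["bot_id"]].add(rec["ip"])
        bots_per_day[rec["day"]].add(rec["bot_id"])
    return {
        "unique_bots": len(bots),
        "unique_ips": len(ips),
        "nat_ips": sum(1 for s in bots_per_ip.values() if len(s) > 1),
        "roaming_bots": sum(1 for s in ips_per_bot.values() if len(s) > 1),
        "bots_per_day": {d: len(s) for d, s in sorted(bots_per_day.items())},
        "non_bot_requests": non_bot,
    }


if __name__ == "__main__":
    for key, value in tally(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The point of counting by bot identifier rather than by source address is the caveat behind any headline number like "600,000 infected Macs": a single NAT gateway hides many bots behind one IP, while a laptop on DHCP shows one bot from several IPs over a few days, so an IP-based count can be off in either direction. Filtering out requests with no identifier matters too, because a sinkholed domain attracts search-engine crawlers and other researchers' scanners that are not infections.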

“They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren’t the ones controlling it and not doing any harm to users,” says Sharov. “This seems to mean that Apple is not considering our work as a help. It’s just annoying them.”

Sharov believes that Apple’s attempt to shut down its monitoring server was an honest mistake. But it’s a symptom of the company’s typically tight-lipped attitude. In fact, Sharov says that since Dr. Web first contacted Apple to share its findings about the unprecedented Mac-based botnet, it hasn’t received a response. “We’ve given them all the data we have,” he says. “We’ve heard nothing from them until this.”

I’ve contacted Apple for comment, but haven’t yet heard back from the company either.

In Apple’s defense, it may not have recognized Dr. Web as a credible security firm when Dr. Web contacted Apple earlier this month; I hadn’t heard of the firm either until its discovery and analysis of the Flashback botnet. But the better-known security firm Kaspersky confirmed Dr. Web’s findings on Friday. A Kaspersky representative said it hadn’t contacted Apple with its findings and hadn’t had any direct communication with Apple, and Kaspersky researcher Kurt Baumgartner wrote in a statement that “from what we’ve seen, Apple is taking appropriate action by working with the larger internet security community to shut down the Flashfake [also known as Flashback] C2 domains. Apple works vigorously to protect its brand and wants to rectify this.” Kaspersky wouldn’t offer more details on how Apple is working with the security community.

Update: Apple now says it will release a Flashback removal tool and is “working with ISPs worldwide” to disable the botnet’s command and control servers.

Locating and shutting down command and control servers is typical practice for a company trying to behead and cripple a botnet targeting its computers. Sharov says that Dr. Web has worked with Microsoft several times in the past on those efforts. But Apple, which has never dealt with a botnet the size of the Flashback infection, has fewer ties to firms like Dr. Web, Sharov says. “For Microsoft, we have all the security response team’s addresses,” he says. “We don’t know the antivirus group inside Apple.”

Sharov, like others, criticizes Apple for its delay in patching the Java vulnerability that Flashback exploited to install itself silently on Macs when users visited compromised web pages. Oracle fixed the bug in February, but Apple, which maintained its own Java build for OS X, didn’t ship the fix until earlier this month. “Their response should have been much earlier when they should have updated their Java,” says Sharov. “Now calling registrars to shut down domains is not as important. The infection has already taken place. There are dozens of domains [controlling] the botnet. Shutting down one does nothing.”

(Read about how to check your computer for Flashback and remove it here.)

Dr. Web and Kaspersky both estimate that more than 600,000 Macs are infected with Flashback, which would represent more than 1% of all Macs in use. So far, the botnet is being used for click fraud rather than credit card theft. But its sheer size represents a shift in the cybercriminal underground, which has long ignored Macs to focus on Windows’ larger market share.

Apple’s less-than-diplomatic handling of Dr. Web’s work isn’t the first time it has raised the hackles of the security research community. When Charlie Miller, a well-known researcher of Apple’s products, created a proof-of-concept app demonstrating a flaw in Apple’s security restrictions, the company responded by revoking his developer license.

Sharov says he can understand Apple’s brusque response to his researchers’ work. “These are not pleasant days for them,” he says. “They’re not thinking about us. The safety of Macintosh computers is going down very quickly, and they’re thinking what to do next. They’re thinking about how to manage a future where the Mac is no longer safe.”


Any and all OS’s that are designed to run executable code are vulnerable to running ‘bad executable code’ .. It’s pretty clear that the only reason Mac OSX has stayed out of ‘trouble’ is because malware writers just haven’t been interested in creating code for it. The real bad part about it is Apple’s attitude towards dealing with it. I sincerely hope this helps bring them down from “the clouds” (pun intended of course) back to earth.

I have had a hard time finding out in all the stories just how a user is infected by this bot. Can you enlighten? I understand the vulnerability, but it seems the user was also somehow involved – tricked into running a bogus installer, or lured to a bogus website. Is this true? Or did this trojan install itself with NO user interaction or permission given?

And no, Apple users do not feel invulnerable. Complacent, yes. But the lure of headlines to be the first to run rampant thru Macs has been out there for years, so I’m not sure I buy the “not enough of a target, yet” argument.

Last, the overall state of the major OSes today in their ability to defend themselves, is so vastly improved over years past. There will always be those who can find and wiggle through cracks, so no one is ever safe and secure. But I think it’s better than it’s ever been, for the average user. IMHO.

Flashback has been installing itself through visits to infected websites. But that’s the extent of the user interaction: The user clicks on a link or otherwise navigates to the rigged website, and Flashback is installed on their machines.

It is interesting that the vulnerability that provided the door to the Flashback trojan was in Java. This makes non-Windows platforms vulnerable to the extent that there is a common-mode vulnerability in a library or the JVM itself. Apple’s problem was that, because they roll their own Java release, they allowed far too much time to go between the Oracle release of the security update to their consumers and made the vulnerability known thereby.

A clue that I had recently was when I performed a full system scan on my Windows 7 system using Microsoft Security Essentials. MSE found and quarantined a few files that were in the Java installer cache. These might have been residue of older Java editions. (I keep my Java installation updated, and my system and anti-virus are kept current.) I will be doing full system scans more regularly now, though.

The delay between disclosure of a vulnerability and any exploit has a problem with bundles that are redistributed on various open-source systems also. For example, a vulnerability that can be exploited in crafted ODF 1.2 documents impacts all of the OpenOffice.org-lineage releases since OpenOffice.org 3.0. While the latest LibreOffice releases remove the vulnerability, it will be some time before Linux distributions provide those versions in their platform-based bundles. Although the Apache project released an out-of-cycle patch for OpenOffice.org 3.3.0, that requires knowledgeable users to obtain the patch and apply it. Upon pending Apache OpenOffice 3.4 release, that door will be closed more easily, but not for users who remain on earlier, unpatched OO.o 3.x releases and their descendants from other sources.

I suppose the lesson is that the systems for deployment and the reticence or inability of users to keep current all add lag and extend the window in which a vulnerability can be exploited profitably. That a producer adds to that delay by failing to have an update available does not help and it should be embarrassing when a serious exploit drives through that unguarded entrance. Unfortunately, response to embarrassment is not always process improvement and heightened trustworthiness.